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Computer Security: A Summary of Selected Federal 
Law, Executive Orders, and Presidential Directives 



Summary 

This report provides a short summary of selected federal laws, executive orders, 
and presidential directives, currently in force, that govern computer security. The 
report focuses on the major roles and responsibilities assigned various federal 
agencies in the area of computer security. This report will not be updated. 

One major area of federal activity in computer security deals with securing 
federal computer systems. The roles and responsibilities for securing federal 
computer systems are split between national security systems and all other federal 
systems. The Federal Information Security Management Act of 2002 authorizes the 
Director of the Office and Management and Budget to oversee the development of, 
and compliance with, security standards and guidelines, developed by the National 
Institute of Standards and Technology and promulgated by the Secretary of 
Commerce. These authorities, however, do not apply to computer systems 
considered to be national security systems. The roles and responsibilities for 
securing national security systems are established by National Security Directive 42 
(NSD-42). NSD-42 establishes what is now called the Committee on National 
Security Systems, which it authorizes to develop, and require compliance with, 
standards and guidelines for national security systems. 

In general, the federal government does not regulate the security of non- 
government computer systems. However, the federal government does require 
certain information held on non-government systems to be protected against 
unauthorized access and disclosure, primarily out of privacy considerations. To 
date, this has been limited to financial information (Gramm-Leach-Bliley Act) and 
medical information (Health Insurance Portability and Accountability Act of 1996). 
A number of regulatory agencies have authority for developing and enforcing 
standards for financial information. The Secretary of Health and Human Services has 
authority to develop and enforce standards for medical information. The Sarbanes- 
Oxley Act of 2002 requires certain companies to certify the accuracy of their internal 
financial controls. The Security Exchange Commission has authority to develop 
standards and enforce these regulations. 

Although it currently has a limited role in securing the nation's overall 
information infrastructure, the federal government does, through the Department of 
Homeland Security, work with and encourage the private sector, state and local 
government, academia, and the general public to protect the nation's information 
infrastructure. This role is authorized in a generic sense for all critical infrastructure 
by the Homeland Security Act of 2002. It is also reinforced more specifically in 
Homeland Security Presidential Directive No. 7 and the National Strategy for 
Securing Cyberspace. To date, these activities are voluntary for non-federal entities. 

Other roles established for the federal government include: investigation and 
prosecution of federal computer crimes; assisting state and local law enforcement 
entities in their investigation and prosecutions; and, developing the nation's expertise 
in information security. 
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Computer Security: A Summary of Selected 

Federal Law, Executive Orders, and 

Presidential Directives 



Introduction 

This report provides a short summary of selected federal laws, executive orders, 
and presidential directives, currently in force, that govern computer security. The 
report focuses its discussion of the roles and responsibilities for computer security 
that have been assigned different federal departments and agencies, some of which 
were assigned 20 or more years ago. 

This report is primarily concerned with the security of computer systems and the 
electronic information contained on, or transmitted by, those systems from 
unauthorized access, use, disclosure, disruption, modification or destruction, in the 
context of information services. The report does not discuss broader issues 
associated with information assurance which includes such concerns as the marking 
and handling of information in both electronic and physical formats, the assignment 
of certain status to certain types of information, and determining who should and 
should not have authorized access to it. The report also touches on 
telecommunications to a limited extent. Even though the technologies associated 
with computers and telecommunications have become inextricable, there remains a 
distinction between the use of that technology for information services (i.e. the 
Internet) and its use, in some cases of the very same hardware, for telecommunication 



The major federal role and responsibility in computer security relate primarily 
to securing federally owned, leased, or operated systems (or those systems operated 
for the federal government under contract or by third parties). In general, the federal 
government does not regulate the security of non-government computer systems 
(other than those used by contractors for the federal government). However, the 
federal government does require certain information held on non-government 
systems to be protected against unauthorized access and disclosure. In addition, as 
part of its effort to enhance the security of the nation's critical infrastructure, the 
federal government is working with and encouraging the private sector to improve 
security of the nation's information infrastructure more generally. 

Another role the federal government plays in computer systems security is to 
investigate and prosecute federal computer crimes. The federal government also 
offers assistance to state and local law enforcement entities in their investigation and 
prosecution of computer activities made illegal at the state level. Finally, the federal 
government has programs in research and development and in the development of the 
nation's expertise in computer security. 
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Securing Federal Computer Systems 

Non-National Security Systems. Building upon the Computer Security 
Act of 1 987 (P.L. 1 00-35), the Paperwork Reduction Act of 1 995 (P.L. 1 04- 1 3), and 
the Information Technology Management Reform Act of 1996 (i.e. Clinger-Cohen 
Act, P.L. 104- 106, Division E), the Federal Information Security Act of 2002 (P.L. 
107-347, Title III) provides the basic statutory requirements for securing federal 
computer systems. The Federal Information Security Act (FISMA) requires each 
agency to inventory its major computer systems, to identify and provide appropriate 
security protections, and to develop, document, and implement an agency-wide 
information security program. 

FISMA authorizes the National Institute of Standards and Technology (NIST) 
to develop security standards and guidelines for systems used by the federal 
government. It authorizes the Secretary of Commerce to choose which of these 
standards and guidelines to promulgate. FISMA authorizes the Director of the Office 
of Management and Budget (OMB) to oversee the development and implementation 
of (including ensuring compliance with) these security policies, principles, standards 
and guidelines. 

To help fulfill his responsibilities, FISMA authorizes the Director of OMB to: 
require agencies to follow the standards and guidelines developed by NIST and 
prescribed by the Secretary of Commerce; review agency security programs annually 
and approve or disapprove them; and, take actions authorized by the Clinger-Cohen 
Act (including budgetary actions) to ensure compliance. 

FISMA also requires agencies to conduct, annually, an independent evaluation 
of their security programs which includes an assessment of the effectiveness of the 
program, plans, and practices and compliance with FISMA requirements. The result 
of those evaluations are forwarded to the Director of OMB, who is to summarize the 
results each year in a report to Congress. 

FISMA also directs the Director of OMB to "ensure the operation" of a federal 
information security incident center. Among the missions of this center are: 
providing timely technical assistance to federal agencies in detecting and handling 
computer incidents; and, compiling and analyzing incident data. Such a center 

existed prior to FISMA. The Federal Computer Incident Response Capability 
(FedCIRC) evolved out of a pilot project first begun at NIST in 1 996. FedCIRC was 
transferred to the General Services Administration, before being transferred again to 
the Department of Homeland Security. This capability is now located within the 
National Cyber Security Division in the Information Analysis and Infrastructure 
Protection Directorate. 

The above mentioned roles and responsibilities of NIST, the Secretary of 
Commerce, and the Director of OMB (except for the Director's authority to take 
related budgetary actions and to report to Congress), do not extend to computer 
systems identified as national security systems. 
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National Security Systems. FISMA 1 defines a national security system, in 
statute, as: 

Any computer system (including any telecommunications system) used or 
operated by an agency or by a contractor of an agency, or other 
organization on behalf of an agency — 

(i) the function of which — 

(I) involves intelligence activities; 

(II) involves cryptologic activities related to national security; 
(HI) involves command and control of military forces; 

(IV) involves equipment that is an integral part of a weapon or 

weapons system; 

(V) ...is critical to the direct fulfillment of military or 
intelligence missions; or 

(ii) is protected at all times by procedures established for information 
that have been specifically authorized under criteria established by an 
Executive Order or an Act of Congress to be kept classified in the 
interest of national defense or foreign policy. 

The definition explicitly excludes systems that are used for routine administrative and 
business applications (including payroll, finance, logistics, and personnel 
management applications). 

The roles and responsibilities for securing national security systems are outlined 
in National Security Directive 42 (NSD-42), signed July 5, 1990 by President 
George H. W. Bush. 

NSD-42 establishes the National Security Telecommunications and Information 
Systems Security Committee, now called the Committee on National Security 
Systems (CNSS). 2 CNSS is an interagency committee, chaired by the Department 
of Defense. Among other assignments, NSD-42 directs the CNSS to: provide system 
security guidance for national security systems to executive departments and 
agencies; and, submit annually to the Executive Agent (see below) an evaluation of 
the security status of national security systems. NSD-42 also directs the Committee 
to interact, as necessary, with the National Communications System Committee of 
Principals (see below). 

NSD-42 assigns membership to the Committee to voting representatives of the 
Secretaries, Directors, and Administrators of the following departments and agencies: 
State, Treasury, Defense, Commerce, Transportation, Energy, Office of Management 



1 P.L. 107-347,§ 301(b)(1). 

2 The name was changed by Executive Order (E.O.) 13231 , signed October 16, 2001. E.O. 
1 3286, signed February 28, 2003, and which amended E.O. 1323 1, kept the name change. 
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and Budget, Central Intelligence, 3 Federal Bureau of Investigations, Federal 
Emergency Management Agency (FEMA), General Services Administration, 
National Security Agency, Defense Intelligence Agency. Also included are: the 
Attorney General, the Assistant to the President for National Security Affairs, 
Chairman of the Joint Chief of Staff, the Chiefs of Staff of the Army and the Air 
Force, the Chief of Naval Operations, the Commandant of the Marine Corps, and the 
Manager of the National Communications System (NCS). FEMA and NCS are now 
parts of the Department of Homeland Security. 

NSD-42 names the Secretary of Defense as the Executive Agent of the 
Government for National Security Telecommunications and Information Systems 
Security. NSD-42 directs the Executive Agent to implement policies and procedures 
that: ensure the development of plans and programs necessary to secure national 
security systems; procure for, and provide to, executive departments and agencies 
technical security materials, and other technical assistance; conduct, approve, or 
endorse research and development of security techniques and equipment; and to 
operate or coordinate the activities of federal technical centers related to national 
security systems. NSD-42 also assigns to the Executive Agent the responsibility for 
reviewing and assessing the National Manager's (see below) recommendations on 
national security systems programs and budgets for executive departments and 
agencies. The Executive Agent may make appropriate budgetary and programmatic 
recommendations to agency heads as well as to the National Security Council and to 
the Office of Management and Budget. In addition, NSD-42 instructs the Executive 
Agent to report the security status of national security systems to the President 
through the National Security Council. 

NSD-42 also designates the Director of the National Security Agency as the 
National Manager for National Security Telecommunications and Information 
Systems Security. Among the authorities granted the National Manager are: examine 
U.S. Government national security systems and evaluate their vulnerability to foreign 
interception and exploitation; conduct, approve, or endorse research and development 
of security techniques and equipment; review and approve all security related 
standards, techniques, systems, and equipment for national security systems; assess 
the overall security posture of and disseminate information on threats to and 
vulnerabilities of national security systems; operate a central technical center to 
evaluate and certify national security systems; prescribe minimum standards, 
methods, and procedures for protecting national security systems; annually review 
and assess the national security systems programs and budgets of department and 
agencies, individually and in the aggregate, and recommend alternatives to the 
Executive Agent; and, enter into agreements for the procurement of technical security 
materials and equipment and their provision to executive departments and agencies, 
and when appropriate, to government contractors and foreign governments. 



3 The Director of Central Intelligence also cites (Director of Central Intelligence 
Directive 6/3-Policy) his authority to protect intelligence sources and methods 
granted under the National Security Act of 1 947, Executive Orders 12333 and 1 2958, 
and NSD-42, to develop, and require compliance with, standards and guidelines to 
protect intelligence information on computer systems. 
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Summary. To summarize, the Director of OMB is authorized to oversee the 
development of, and ensure compliance with, policies, principles, standards and 
guidelines governing the security of all federal computer systems, except for national 
security computer systems. The Committee on National Security Systems has that 
authority for national security systems (which include both information and 
telecommunication systems). The Director of Central Intelligence cites similar 
authority for computer systems that contain intelligence information. NIST has the 
responsibility for developing security standards and guidelines for all federal 
computer systems, except national security systems. The National Security Agency 
has that authority for national security systems. 

National Strategy. Although carrying less authority than law, executive 
order, or presidential directive, the National Strategy to Secure Cyberspace, released 
in February 2003 , 4 makes a number of recommendations aimed at the largest 
computer network operators, including the federal government, to the smallest of 
home users. Three recommendations direct specific federal agencies to take specific 
actions to improve the security of federal systems. The Strategy recommends DHS 
use exercises to test the security of federal systems and to report the results of those 
exercises to the Director of OMB. It also directs DHS to work with the General 
Services Administration to develop an improved patch management system, to ensure 
that agencies have made up-to-date security modifications to their software. The 
Strategy also directs OMB to coordinate the development of a research and 
development strategy for information technology security and to update this annually. 

National Communication System. Because of the reliance of computer 
networks on telecommunication assets and the use of computers in 
telecommunication networks, and the inextricable nature of the technologies 
involved, it is necessary to spend a few paragraphs discussing the National 
Communication System. NSD-42 makes reference to the National Communication 
System's Committee of Principals. The National Communication System (NCS) was 
first established by Presidential Memorandum No. 252, signed by President Kennedy 
in 1963 following the Cuban Missile Crisis. The Memorandum called for 
establishing a NCS by linking together, and improving on an evolutionary basis, the 
communication facilities and components of various federal agencies. This original 
memorandum since has been amended and superseded over time. The Executive 
Order currently in force is Executive Order 12472, signed by President Reagan on 
April 3, 1984, which was amended slightly by President George W. Bush in 
Executive Order 13286, on February 28, 2003. 

E.O. 1 2472 established (i.e. defined) a national communication system as those 
telecommunication assets owned or leased by the federal government that can meet 
the national security and emergency preparedness needs of the federal government, 
together with an administrative structure that could ensure that a national 
telecommunications infrastructure is developed that is responsive to national security 
and emergency preparedness needs. The administrative structure includes a National 



4 The Strategy was released by the President's Critical Infrastructure Protection Board. The 
Board was established by Executive Order 13231 (October 18, 2001). The Board was 
dissolved by Executive Order 13286 (February 28, 2003). 
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Communication System Committee of Principals, an Executive Agent, and a 
Manager. 

The National Communication System Committee of Principals consists of those 
agencies, designated by the President, that own or lease telecommunication assets 
identified as part of the National Communication System, or which bear policy, 
regulatory, or enforcement responsibilities of importance to national security and 
emergency preparedness telecommunications. The mission of the Committee of 
Principals is: to assist (including making recommendations to) the President, the 
National Security Council, the Homeland Security Council, the Director of the Office 
of Science and Technology Policy (OSTP), and the Director of the Office of 
Management and Budget (OMB) in exercising their functions and responsibilities 
associated with the National Communication System. Together the National Security 
Council, the Homeland Security Council, the Director of OSTP, and the Director of 
OMB, in consultation with the Executive Agent and the Committee of Principals, 
determine the requirements for the national communication system. The Committee 
of Principals also works closely with private sector service providers, which own and 
operate some of the assets that make up the NCS, through the National Security 
Telecommunication Advisory Committee. 

The Committee of Principals also; acts as forum in which Members may discuss 
and report on ongoing and perspective national security and emergency planning 
plans and programs; and, ensures that the NCS is responsive, capable of satisfying 
priority telecommunication requirements, and survivable to the maximum extend 
practicable at all times, including times of crisis and emergency. Infrastructure 
security is specifically mentioned as one of the concerns of the NCS (Section 
1(c)(3)). 

The responsibilities of the Executive Agent include: designating the NCS 
Manager; ensuring the NCS conduct unified planning and operations; and, ensuring 
coordination with emergency management activities of the Department of Homeland 
Security. The original EO designated the Secretary of Defense as the Executive 
Agent. The Homeland Security Act of 2002 transferred the NCS to the Department 
of Homeland Security. To reflect this change, Executive Order 13286 made the 
Secretary of Homeland Security Executive Agent. 

The responsibilities of the NCS Manager include preparing for consideration by 
the Committee of Principals: recommendations on an evolutionary 
telecommunications architecture to meet current and future national security and 
emergency preparedness needs; plans and procedures for the allocation and use, 
including the priorities and preferences, of federally owned or leased assets under all 
emergency or crisis conditions; plans and standards for reducing impediments to 
interoperability; tests and exercises for evaluating capabilities; budget reviews; and, 
implement any approved plans or programs. The Manager also chairs the Committee 
of Principals. As result of the transfer of the NCS to the Department of Homeland 
Security, the Secretary of Homeland Security, as Executive Agent, has designated the 
Assistant Secretary for Infrastructure Protection as the NCS Manager. 

EO 12472 also established a joint industry-government National Coordinating 
Center (NCC) which assists in the initiation, coordination, restoration, and 
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reconstruction of national security and emergency preparedness telecommunication 
services or facilities under all conditions. 

Protecting Information on Private Systems 

There are currently no general federal requirements for private entities other 
than federal contractors operating systems for the federal government to secure their 
computer systems. However, there are requirements for entities who hold or process 
certain types of personal information to ensure the confidentiality of that information. 
To date, this includes financial information and medical information. There is also 
a federal requirement that certain firms that register with the Security and Exchange 
Commission (SEC) must include in the financial reports an assessment of their 
internal financial controls. To the extent that each of these types of information is 
held and or processed electronically, the security of some private computer systems 
come under federal regulation. 

Title V of the Gramm-Leach-Bliley Act (P.L. 106-102, 15 USC Chpt. 94, 
§680 1 el seq. ) requires financial institutions to protect the security and confidentiality 
of their customers' nonpublic personal information. The Act authorizes various 
federal regulatory agencies, (the Comptroller of the Currency, the Security Exchange 
Commission, the Federal Deposit Insurance Corporation, et al.) to coordinate the 
development of regulations for meeting this requirement. Each of these federal 
agencies is authorized to enforce the regulations for those institutions in their 
jurisdiction. The regulations (16 CFR Part 314) require financial institutions to 
develop, implement, and maintain a comprehensive information security program 
that contains appropriate administrative, technical, and physical safeguards. Such a 
program should include the designation of an employee to coordinate the program, 
risk assessments, regular tests and monitoring of safeguards, and a process for 
making adjustments in light of test results and/or changes in operations or other 
circumstances that may impact the effectiveness of the program. 

The Health Insurance Portability and Accountability Act of 1996, (P.L. 104- 
191, Title II, Subtitle F, Sec. 262, 42 USC 1 320d et seq.) authorizes the Secretary of 
Health and Human Services to adopt standards that require health plans, health care 
providers, and health care clearinghouses to take reasonable and appropriate 
administrative, technical and physical safeguards to: ensure the integrity and 
confidentiality of individually identifiable health information held or transferred by 
them; to protect against any reasonably anticipated threats, unauthorized use or 
disclosure; and to ensure compliance with these safeguards by officers and 
employees. These security standards were adopted in 45 CFR Part 164, Subpart C. 
The Secretary assigned responsibility for enforcing these security standards to the 
Center for Medicare and Medicaid Services. 

Besides these privacy-oriented rules, the Sarbanes-Oxley Act of 2002 (P.L. 
107-204, §404) authorizes the Security Exchange Commission to prescribe 
regulations requiring entities that produce annual financial reports pursuant to 
sections 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain a report on 
the firm's internal financial controls. The report must state the responsibility of 
management for establishing and maintaining an adequate internal control structure 
and procedures for financial reporting and assess the effectiveness of those structures 
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and controls. External audits must attest to and report on management's assessments. 
"Internal control" is defined as a process that provides assurance regarding the 
reliability of financial reporting. It pertains to the maintenance of records that 
accurately reflect the transactions and dispositions of assets and prevents or detects 
unauthorized acquisition, use, or disposition of assets. While there is no specific 
mention of computer security, the Committee of Sponsoring Organizations of the 
Treadway Commission (COSO) Framework for Enterprise Risk Management, which 
is mentioned in the regulation (17 CFR Part 210, 228, et al.) as the kind of evaluation 
process that would be acceptable, specifically includes the security of information 
technology (systems, software, applications) as a critical element to assess. 

Working with the Private Sector 

Continuing the basic policy outlined in the Clinton Administration's Presidential 
Decision Directive No. 63, the Bush Administration's Homeland Security 
Presidential Directive No. 7 (HSPD-7), released December 17, 2003 states that it 
is U.S. policy to enhance the protection of the nation's critical infrastructure. Certain 
agencies were designated as lead agencies to work with their private sector 
counterparts. In addition to assigning the Secretary of Homeland Security the 
responsibility of coordinating the nation's overall efforts in critical infrastructure 
protection across all sectors, HSPD-7 also designates the Department of Homeland 
Security (DHS) as lead agency for the nation's information and telecommunications 
sectors. As a lead agency, DHS is to share threat information, help assess 
vulnerabilities, and encourage appropriate protective action and the development of 
contingency plans. 

In addition, HSPD-7 directs the Secretary of Homeland Security to maintain an 
organization that serves as a focal point for securing cyberspace. That organization 
is to: facilitate collaboration between federal departments and agencies, state and 
local governments, the private sector, academia, and international organizations. Its 
mission includes: 24x7 analysis and warning; information sharing; vulnerability 
reduction; mitigation; and, aiding national recovery. The National Cyber Security 
Division was established within the Information Analysis and Infrastructure 
Protection (IA/IP) Directorate in June 2003, leveraging capabilities transferred to 
DHS by the Homeland Security Act of 2002, such as elements of the National 
Infrastructure Protection Center from the FBI and FedCIRC from the General 
Services Administration. 

Beyond making DHS responsible for coordinating the national effort to protect 
critical infrastructure across all sectors, the Homeland Security Act of 2002 also 
authorizes the DHS (through the Undersecretary for Information Analysis and 
Infrastructure Protection), as appropriate and upon request, to provide the private 
sector with analysis and warning of threats and vulnerabilities of computer systems. 
It also authorizes the Undersecretary for IA/IP, in coordination with the 
Undersecretary for Emergency Preparedness and Response, as appropriate and upon 
request, to provide the private sector with crisis management support in response to 
a threat or attack on critical computer systems, and technical assistance to help 
recover from major failures of critical computer systems. The Act also authorizes the 
Undersecretary for IA/IP to establish a "NET Guard" comprised of local teams of 
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experts to help communities respond to and recover from attacks on information and 
telecommunication systems. 

The National Strategy to Secure Cyberspace, mentioned earlier, also 
recommends that the Department of Homeland Security be responsible for a number 
of tasks associated with interacting with the state, local, and private sector. Some of 
these have been captured in IISPD-7. Among the recommended tasks are: establish 
a 24x7 synoptic view of the health of the information infrastructure; share threat and 
warning information; explore the use of exercises as a way to test coordination of 
public and private incident management, response and recovery capabilities; 
coordinate development of a national threat assessment; encourage a national 
voluntary patch clearinghouse; encourage the advanced training of cybersecurity 
professionals; and, encourage the development of broadly accepted certification 
program for those professionals. 

As part of its authority to develop standards for federal computer systems, NIST 
is also authorized by FISMA to assist the private sector, upon request, in using and 
applying security standards that NIST develops. 

Investigating and Prosecuting Computer Crimes 

The Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 

(P.L. 98-473, Title II, §2102(a), 18 USC 1030, as amended) makes certain acts 
associated with the unauthorized access to computers a federal crime. For example, 
it is a crime to knowingly gain unauthorized access to a nonpublic federal computer 
or a computer used by or for the federal government. It is also a crime to knowingly 
gain unauthorized access to a computer and obtain national security information, 
financial or credit information, or any information from a protected computer. A 
protected computer is one used by or for a financial institution, the federal 
government, or one used in interstate or foreign commerce and communication. It 
is also a federal crime to knowingly transmit a program, information, code, or 
command that causes damage to a protected computer. While the Attorney General 
has the primary authority to enforce federal laws, the Act also specifically states that 
the United States Secret Service has the authority, as does any other agency with such 
authority, to investigate the computer-related offenses covered by this section of the 
Act. 

The USA PATRIOT Act (P.L. 1 07-56, §506(a)) amended the above statute by 
adding that the Federal Bureau of Investigation (FBI) has primary authority to 
investigate offenses where espionage or national security is involved, except for 
offenses affecting the duties of the United States Secret Service. Such authorities are 
to be exercised in accordance with an agreement signed by the Secretary of the 
Treasury and the Attorney General. 

Section 105 of the PATRIOT Act authorizes the Director of the United States 
Secret Service to develop a national network of electronic crime task forces, modeled 
on the New York Electronic Crimes Task Force, for the purpose of electronic crimes, 
including potential attacks against critical infrastructure and financial payment 
systems. Section 816 of the PATRIOT Act also authorizes the Attorney General to 
establish regional computer forensic laboratories to provide forensic examinations 
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with respect to seized or intercepted computer evidence related to criminal activity, 
to provide training and education to other federal, state, and local law officials, and 
to assist other federal, state, and local law officials. 

Some of the ground-rules for investigating computer crimes are found in the 
Electronic Communications Privacy Act. (P.L. 99-508, USC Chapters 119,121, 
206). A number of these were modified in Title II of the USA Patriot Act. For 
example, prior to the amendments, tracking computer hackers via computer logs 
across jurisdictional areas required separate court orders from each jurisdiction. The 
USA Patriot Act allows investigators to get a single court order from any court of 
competent jurisdiction. Further discussion of these provisions is beyond the scope 
of this report. 

Research and Development and Developing Information 
Security Expertise 

The federal government has a number of programs aimed at developing 
computer security expertise. FISMA requires an agency's Chief Information Officer 
to provide training to personnel with significant security responsibilities. FISMA 
also requires the agency head to ensure the agency has sufficient personnel trained 
in information security. The Computer Security Act, which was superceded by 
FISMA, had authorized NIST to develop, in consultation with the Office of 
Personnel Management, guidelines for training agency employees in information 
security practices. The guidelines developed cover a range of needs from making 
users aware of security issues and practices to guidelines for agencies to use when 
developing training courses for people charged with securing computer systems. 
NSA has similar guidelines for training personnel in securing national security 
systems. 

The National Security Agency, citing its authorities under NSD-42 to develop 
standards for securing national security system and in response to PDD-63, also has 
established a National Information Assurance Education and Training Program, part 
of which includes the National Centers of Excellence in Information Assurance 
Education. The Centers' program selects certain universities who have developed 
programs in information assurance that meet criteria established by the Committee 
on National Security Systems. Following the release of PDD-63, the Clinton 
Administration began a program called Scholarship-for-Service (SFS) which, 
leveraging NSA's Center of Excellence program, seeks to help schools develop 
information security programs that could qualify for NSA's Centers program and to 
support students with 2-year scholarships. Upon graduation, students receiving SFS 
support would be required to work 2 years in the federal sector. The National 
Science Foundation was tasked with running this program. The Floyd D. Spence 
National Defense Authorization Act of FY2001 (P.L. 106-398, §922) authorized 
the Secretary of Defense to establish a similar program for the Department of 
Defense. 

In part to help develop a cadre of experts in information security, Congress also 
passed the Cyber Security Research and Development Act (P.L. 107-305). The 
Act authorizes the National Science Foundation to: award basic research grants in 
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areas that enhance computer security; to support the establishment of multi- 
disciplinary Centers for Computer and Network Security Research; to award grants 
to institutions of higher learning to establish or improve their programs and 
enrollments in computer and network security; to provide graduate assistance 
programs in computer and network security; to establish a graduate research 
fellowship program; and to establish a grant program to establish university programs 
to train students to pursue an academic career in computer and network security. The 
Act also authorized NIST to support the establishment of multi-disciplinary research 
partnerships in computer security between universities, government, profit, and non- 
profit entities; and, to establish a post-doctoral research fellowship program and a 
senior research fellowship program. 

In addition to supporting the development of national expertise in computer 
systems security, the federal government also conducts and supports research and 
development in computer systems security. As mentioned earlier in this report, 
NIST, DOD, and NSA are specifically authorized in FISMA and NSD-42, 
respectively, to conduct and support research in computer systems security. In 
addition, the Homeland Security Act of 2002 (Title II, Subtitle D) establishes within 
the Department of Justice the Office of Science and Technology. The Act authorizes 
this Office to conduct research, including research in tools and techniques that 
facilitate investigative and forensic work related to computer crimes. The Homeland 
Security Act of 2002 (§308) also authorizes the Undersecretary of Science and 
Technology of the Department of Homeland Security, when establishing university 
research centers, to consider universities with nationally recognized programs in 
information security. Although the Homeland Security Act of 2002 does not 
specifically call for research in this area, computer security makes up one of the 
portfolios of the Science and Technology Directorate. 

Conclusion 

Current Status. The roles and responsibilities of various federal 
departments and agencies in the area of computer security are relatively well defined. 
OMB and NIST are responsible for developing policy and standards, and for 
overseeing the implementation of those policies and standards, covering most of the 
federal government's computer systems. DOD, NSA, and the Director of Central 
Intelligence, working through the Committee on National Security Systems, are 
responsible for federal computer systems designated as national security systems. 
While inheriting the NCS and its responsibilities in the area of the NCS and 
telecommunications, the primary role of the Department of Homeland Security is to 
work with the private sector, state and local governments, and the public to protect 
the nation's information infrastructure (i.e. the Internet). The Secretary of Health and 
Human Services enforces regulations related to the privacy of individual health 
information held on private computer systems maintained by health care 
organizations. The SEC and other agencies with jurisdiction over financial 
institutions enforce regulations related to the privacy of individual financial 
information held on computer systems maintained by financial institutions. The SEC 
also enforces regulations related to the certification of internal financial controls 
(including those associated with a company's computer systems) for a large number 
of private sector firms. A number of agencies have the authority to investigate and 
prosecute federal computer crimes, in particular the Department of Justice and the 
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Secret Service (now part of DHS). NSA, NSF, NIST and DHS are specifically 
authorized to support research and development in computer security and to develop 
the nation's expertise in this area. 

Issues. However, at least three issues have arisen concerning these roles 
and responsibilities: 1) the role the federal government in regulating the nation's 
privately owned and operated critical information infrastructure; 2) the relative roles 
of the Department of Homeland Security and the National Security Agency in setting 
policy and standards for computer and telecommunication systems handling critical 
infrastructure information; and, 3) the relative roles of the National Cyber Security 
Division and the National Communication System in setting policy and standards for 
dealing with the private sector. 

Federal Regulation of the Private Sector. The current role of the federal 
government in regulating private sector computer systems is primarily derived from 
its interest to protect the privacy of individually identifiable information held on 
private computer systems or to improve the oversight of financial reporting by the 
private sector. Security of a company's or an individual's computer system or the 
Internet as a whole are not the policy objective. There is a long running debate about 
whether the federal government should take a more active regulatory role in 
improving private sector computer security. Two options that have been discussed 
include requiring the development of more secure computer software and/or 
requiring users to improve and maintain the security of their systems over time. A 
number of critics of the National Strategy to Secure Cyberspace have asserted that 
the Strategy did not go far enough in either of these directions in its 
recommendations. 5 These critics tend to come from the developers of security 
products and services. Both software developers and software users take the position 
that it is in a company's interest to sell and maintain secure products and systems and 
that market forces are the best way to ensure cost-effective security. Current policy 
is to engage the private sector and collaborate in efforts to raise awareness of security 
issues and to disseminate best practices. 

Critical Infrastructure Information. The Homeland Security Act of 
2002 defined a class of information called critical infrastructure information. Critical 
infrastructure information is information coming from the private sector, and state 
and local governments to the Department of Homeland Security concerning the 
identification of critical assets, their vulnerabilities, measures taken to protect them, 
and suspicious incidents. The Act gives the Secretary of Homeland Security 
authority to develop the information systems (as well as the protocols, etc.) needed 
to facilitate the sharing, storage, and analysis of this information. While not 
necessarily considered classified information, critical infrastructure information is 
considered sensitive and exempt from public disclosure. It might also be held and 
transmitted over systems that also handle classified or other types of sensitive 
information that would make the information systems handling it a national security 



5 For example, see, White House Scales Back Cyberspace Plan. The New York Times. 
February 14, 2003. [http://www.nytimes.com/2003/02/15/technology] . This website was 
last accessed on April 16,2004. Also, Bush's Cybersecurity Plan Falls Short, ReportSays. 
Computerworld. December 23, 2002. page 10. 
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system which falls within the jurisdiction of the Committee on National Security 
Systems and NSA. Who takes the lead in developing the policies and standards 
governing the systems being designed to handle this information? 

Computer and Communication Security. Lastly, the Information 
Protection side of the Information Analysis and Infrastructure Protection Directorate 
at DHS has both a National Cyber Security Division and the National 
Communication System. As the technologies of telecommunications and computer 
become even more inextricable, there may appear to be some redundancies in the 
roles and responsibilities of these two entities. The role of the NCS is well 
established from over 40 years of experience. Its jurisdiction, while wide, still deals 
primarily with those assets considered necessary for national security related 
communications or during times of national emergencies. The NCSD has a much 
wider mandate; to work with all owners, operators, and users of the nation's 
information infrastructure. There is some debate about whether these two functions 
should merge or remain separate. 



